Data Firm 'Eavesdrops,' Collects Keystrokes, Mouse Clicks, Class Action Alleges
Quantum Metric’s (QM) “wiretapping” of CVS website visitors' electronic communications violates California and Pennsylvania privacy statutes, a class action against the data firm (docket 1:24-cv-01154) alleged Thursday in U.S. District Court for Colorado in Denver.
QM's wiretaps, embedded in computer code on CVS.com, “secretly observe and record website visitors’ keystrokes, mouse clicks, and other electronic communications,” the complaint alleged. The wiretaps also record visitors' personally identifiable information (PII), such as prescriptions and over-the-counter medications, it added.
In May, plaintiffs Jalleh Doty of San Pedro, California, and Jeffrey Ogden, a Selinsgrove, Pennsylvania, resident, visited CVS.com. Doty browsed over-the-counter medications and refilled prescriptions; Ogden refilled his prescription medications, the complaint said.
During both plaintiffs’ visits, their electronic communications -- including the URL values of pages they visited, showing medications they browsed and refilled and terms they entered in the search bar -- were “read, accessed, learned, and intercepted in real time” by Quantum Metric “through its software-as-a-service,” the complaint alleged. Neither plaintiff consented to the interception or disclosure of their PII, it said.
One of the data firm’s services is session replay, which reproduces a user’s interactions on apps, capturing actions such as mouse movements, clicks, typing, scrolling and swiping. When a user interacts with a website, the document object model of the website is altered; QM’s session replay service logs those changes and compiles a “video recording” of the user’s visit, the complaint said. Third-party replay scripts collecting page content can cause sensitive information such as medical conditions and credit card details “to leak to the third-party as part of the recording,” the complaint said. This can expose users to identity theft, online scams and other unwanted behavior, it added.
QM can also analyze captured information with services such as AI and then “further disclose” PII to third parties, the complaint said. QM provides CVS and other partners behavioral, technical and business metrics, collecting more than "300 audience dimensions such as browser, device type, and location,” it said. Those metrics include clicks, taps, form submits, page views, typed text and “frustration signals,” the complaint alleged.
Because QM can capture, store and interpret “real-time data,” it's more than a tape recorder, the complaint said, citing Yoon v. Lululemon, which found Quantum Metric more like “an eavesdropper standing outside the door.” QM is “a separate and distinct third-party entity from the parties to the conversation” -- in this case plaintiffs and class members on one side and CVS on the other -- and “eavesdrops upon, records, extracts data from, and analyzes a conversation to which it was not a party,” the complaint said.
QM provides these services to website owners for a fee. Despite representations to the contrary, QM captures “a host of medical information” on clients’ websites, in a “non-anonymized manner,” it said. QM captures searched terms and products and products loaded into shoppers’ virtual carts, including prescription medications, it said. At the same time, the defendant is also capturing the user’s account name and IP address, “meaning the information captured is in a non-anonymized format,” it said.
Plaintiffs claim violations of the California Invasion of Privacy Act and the Pennsylvania Wiretapping and Electronic Surveillance Act. They seek compensatory, punitive, and statutory damages; prejudgment interest; an order of restitution; injunctive relief; and attorneys’ fees and legal costs.